Intelligent CIO APAC Issue 45 | Page 74

INDUSTRY WATCH
Lurking in the Shadows – key insights
A total of 29% of web attacks targeted APIs over 12 months (January through December 2023), indicating that APIs are a focus area for cybercriminals. The attacks on APIs include the risks that are highlighted in both the Open Web Application Security Project (OWASP) API Security Top 10 and the OWASP Top 10 Web Application Security Risks, with adversaries using tried-and-true methods like Structured Query Language injection (SQLi) and Cross-Site Scripting (XSS) to infiltrate their targets. Business logic abuse is a critical concern, as it is challenging to detect abnormal API activity without establishing a baseline for API behavior. Organizations without solutions to monitor anomalies in their API activity are at risk of runtime attacks like data scraping – a new data breach vector that uses authenticated APIs to slowly scrape data from within. APIs are at the heart of most digital transformations, so it is paramount to understand the industry trends and relevant use cases, such as loyalty fraud, abuse, authorization and carding attacks. Organizations need to think about compliance requirements and emerging legislation early in their security strategy process to avoid the need to re-architect.

Lurking in the Shadows analyzes some of the most common problem areas regarding posture and runtime challenges. Other key findings in the report include:

- The top sectors suffering the highest percentage of web attacks that targeted APIs were manufacturing at 31.2%, followed by gaming at 25.2%, high tech at 24.4%, video media at 24.0% and commerce at 22.3%.
- The top five regions with the highest percentage of web attacks targeting APIs were South Korea at 47.9%, Indonesia at 39.6%, Hong Kong SAR at 38.7%, Malaysia at 26.4% and Japan at 23.4%. This was followed by India (19.0%), Australia (15.6%), Singapore (5.8%), the Philippines (5.5%) and New Zealand (4.8%).
- In APAC, top attack methods include Local File Inclusion (LFI) at 16.8%, Server-Side Request Forgery (SSRF) at 11.8% and Web Attack Tool (WAT) at 10.4%. Attackers are also favoring the use of newly surfaced vectors, like CMDi at 9.1%, which underscores that adversaries are continuously finding new methods and avenues to exploit targets.
- Business logic abuse is a critical concern, as it is challenging to detect abnormal API activity without establishing a baseline for API behavior. APAC organizations without solutions to monitor anomalies in their API activity are at risk of runtime attacks like data scraping – a new data breach vector that uses authenticated APIs to slowly scrape data from within.
- Bot requests are also concerning in APAC – nearly half of the more than two trillion suspicious bot requests were aimed at APIs.
- APIs are at the heart of most digital transformations today, so it is paramount for APAC businesses to understand their industry’s trends and relevant threats, like loyalty fraud, abuse, authorization and carding attacks.
- APAC organizations need to think about compliance requirements and emerging legislation early in their security strategy process to avoid the need to re-architect. Examples include section 6 of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 on new API standards.
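The report's point about business logic abuse is that slow scraping through an authenticated API looks like legitimate traffic request by request, so it can only be spotted against a baseline of what each client normally does. The following is an added illustration of that idea, not code from the report or from its authors: it builds a per-client baseline from a known-good window of constructed access-log lines, then flags clients in a later window whose count of distinct records read is far above the baseline and whose access pattern is a near-sequential walk through record ids. The log format, the `/v1/customers/<id>` path scheme, the client names and the thresholds (`k`, `min_sequential`) are all assumptions made for the example.

```python
"""Baseline-and-deviation detection for slow data scraping over an authenticated API.

Constructed example: the log format, client identifiers, path scheme and thresholds
are assumptions for illustration and are not taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Assumed access-log shape: "<ISO timestamp> <client> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed path scheme: the record id is the numeric segment after /v1/customers/
RESOURCE_RE = re.compile(r"^/v1/customers/(?P<rid>\d+)$")


def parse(lines):
    """Yield (timestamp, client, record_id) for successful single-record reads."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        r = RESOURCE_RE.match(m["path"])
        if r is None or m["method"] != "GET" or m["status"] != "200":
            continue
        yield datetime.fromisoformat(m["ts"]), m["client"], int(r["rid"])


def per_client_profile(lines):
    """Aggregate each client's reads into the features the detector compares."""
    reads = defaultdict(list)
    for ts, client, rid in parse(lines):
        reads[client].append((ts, rid))
    profiles = {}
    for client, events in reads.items():
        events.sort()
        rids = [rid for _, rid in events]
        span_min = max((events[-1][0] - events[0][0]).total_seconds() / 60, 1.0)
        # Share of successive reads whose ids differ by exactly 1: a sequential walk.
        steps = [b - a for a, b in zip(rids, rids[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        profiles[client] = {
            "distinct": len(set(rids)),
            "rate_per_min": len(rids) / span_min,
            "sequential": sequential,
        }
    return profiles


def build_baseline(baseline_lines):
    """Summarise normal per-client distinct-record counts from a known-good window."""
    distinct = [p["distinct"] for p in per_client_profile(baseline_lines).values()]
    median = statistics.median(distinct)
    # Median absolute deviation, floored at 1 so a flat baseline still gives a usable band.
    mad = max(statistics.median(abs(d - median) for d in distinct), 1.0)
    return {"median": median, "mad": mad}


def detect_scrapers(baseline_lines, observed_lines, k=5.0, min_sequential=0.8):
    """Flag clients whose distinct-record count is far above baseline and whose reads
    walk record ids nearly sequentially, no matter how slow the request rate is."""
    base = build_baseline(baseline_lines)
    threshold = base["median"] + k * base["mad"]
    flagged = []
    for client, p in per_client_profile(observed_lines).items():
        if p["distinct"] > threshold and p["sequential"] >= min_sequential:
            flagged.append((client, p))
    return sorted(flagged, key=lambda item: item[0])


def _lines(client, rids, start_minute, step_minutes):
    """Build constructed log lines for one client (sample data only)."""
    t0 = datetime(2023, 6, 1, 9, 0, 0)
    return [
        f"{(t0 + timedelta(minutes=start_minute + i * step_minutes)).isoformat()} "
        f"{client} GET /v1/customers/{rid} 200"
        for i, rid in enumerate(rids)
    ]


# Constructed baseline: support staff each look up a few unrelated records.
BASELINE = (
    _lines("user-ana", [5021, 77, 3310, 5021], 0, 7)
    + _lines("user-ben", [88, 1540, 88, 902, 4411], 3, 5)
    + _lines("user-cho", [17, 2504, 60], 1, 9)
    + _lines("user-dev", [3000, 3001, 250, 8], 2, 6)
)

# Constructed observation window: the same kind of staff activity plus one
# authenticated integration token reading ids 1000..1035 once every two minutes,
# a rate that stays well under any per-minute rate limit.
OBSERVED = (
    _lines("user-ana", [5021, 4, 4, 77], 0, 8)
    + _lines("user-ben", [902, 1540, 33, 902], 2, 6)
    + _lines("svc-report-42", list(range(1000, 1036)), 1, 2)
)

if __name__ == "__main__":
    for client, profile in detect_scrapers(BASELINE, OBSERVED):
        print(client, profile)
```

The rate feature is kept in the profile but deliberately not used as a trigger: the scraping client here averages about one read every two minutes, which a rate limiter would never notice. What separates it from the staff accounts is the breadth of distinct records and the sequential id walk, which is why the baseline is built on distinct-record counts rather than request volume.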
“Companies in APAC must ensure that the APIs they use are properly discovered and documented – and have complete visibility into their purpose and the risks they bring,” said Koh.

“Businesses also need to keep themselves updated on API threats – especially on emerging ones like API business logic abuse – and follow industry guidelines to protect against misconfiguration and vulnerabilities. Our new report provides key insights to help organizations leverage best practices to enhance security, as the use of APIs becomes more prevalent across all industries.”